09-Certbot-Lets-Encrypt
faycel edited this page 2026-02-26 20:37:48 +00:00

This page documents TLS certificate management with Certbot running in Docker.

Snapshot date: 2026-02
Stack: infra
Mode: Docker Swarm


1. Purpose

Certbot is used to:

  • Obtain TLS certificates from Let's Encrypt
  • Store certificates persistently
  • Renew certificates automatically
  • Reload Nginx after renewal

Certificates are stored in:

/home/ubuntu/docker/swarm/infra/certbot/conf

Webroot challenge directory:

/home/ubuntu/docker/swarm/infra/certbot/www

2. Initial Certificate Generation

Run manually:

sudo docker run --rm \
  -v /home/ubuntu/docker/swarm/infra/certbot/conf:/etc/letsencrypt \
  -v /home/ubuntu/docker/swarm/infra/certbot/www:/var/www/certbot \
  certbot/certbot certonly \
  --webroot \
  --webroot-path=/var/www/certbot \
  -d mattermost.bhk-itsolutions.com \
  -d minio.bhk-itsolutions.com \
  -d code.bhk-itsolutions.com \
  --email your_email@example.com \
  --agree-tos \
  --expand \
  --non-interactive \
  --no-eff-email

After success, certificates are stored under the following path inside the container (on the host this is the conf directory above):

/etc/letsencrypt/live/<domain>/

3. Nginx Integration

Nginx uses certificates from:

/etc/letsencrypt/live/<domain>/fullchain.pem
/etc/letsencrypt/live/<domain>/privkey.pem

These paths are mounted from the persistent volume:

/home/ubuntu/docker/swarm/infra/certbot/conf

4. Required Ports

The Let's Encrypt HTTP-01 challenge (the one --webroot uses) requires:

  • Port 80 reachable from the internet
  • DNS for each domain pointing at this host

Verify UFW:

sudo ufw status

Ensure:

  • 80 allowed
  • 443 allowed
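A pre-flight script for this section, added here as an example and not part of the original page or of certbot: it parses `ufw status` for the two ports, resolves each domain, and proves the webroot path is served by writing a throwaway token under /.well-known/acme-challenge/ and fetching it through the public hostname, exactly as Let's Encrypt would. It assumes the webroot path and domain names from this page and that curl, getent and ufw exist on the host.

```shell
#!/bin/sh
# Pre-flight check before the initial certbot run (added example, not from the wiki page).
# Assumes the webroot path and domains documented on this page, plus curl, getent and ufw.
set -eu

WEBROOT="${WEBROOT:-/home/ubuntu/docker/swarm/infra/certbot/www}"
DOMAINS="${DOMAINS:-mattermost.bhk-itsolutions.com minio.bhk-itsolutions.com code.bhk-itsolutions.com}"

# Exit 0 when the given `ufw status` text contains an ALLOW rule for the port ("80" or "80/tcp").
ufw_allows() {
    port="$1"; status_text="$2"
    printf '%s\n' "$status_text" | grep -Eq "^${port}(/tcp)?[[:space:]]+ALLOW"
}

# URL Let's Encrypt fetches for the HTTP-01 challenge of a domain and token.
challenge_url() {
    echo "http://$1/.well-known/acme-challenge/$2"
}

# First IPv4 address a name resolves to (empty when it does not resolve).
resolve_a() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# Write a throwaway token into the webroot and fetch it via the public hostname: this
# proves port 80, DNS and the Nginx webroot location all line up for that domain.
webroot_served() {
    domain="$1"
    token="preflight-$(date +%s)-$$"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir"
    echo "$token" > "$dir/$token"
    body=$(curl -fsS --max-time 10 "$(challenge_url "$domain" "$token")" || true)
    rm -f "$dir/$token"
    [ "$body" = "$token" ]
}

preflight() {
    rc=0
    status=$(sudo ufw status)
    for p in 80 443; do
        ufw_allows "$p" "$status" && echo "OK   ufw allows $p" || { echo "FAIL ufw does not allow $p"; rc=1; }
    done
    for d in $DOMAINS; do
        ip=$(resolve_a "$d")
        [ -n "$ip" ] && echo "OK   $d -> $ip" || { echo "FAIL $d does not resolve"; rc=1; }
        webroot_served "$d" && echo "OK   challenge path served for $d" \
            || { echo "FAIL challenge path not served for $d"; rc=1; }
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; fi
```

Run it with `sh preflight.sh --run` before the certonly command in section 2. The ufw parser only recognises numeric port rules; if you allowed an application profile such as "Nginx Full" instead, adjust the pattern or rely on the webroot check, which is the test that actually matters.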

5. Automatic Renewal

Renewal is handled via cron.

Edit root crontab:

sudo crontab -e

Add:

# Keep the entry on a single line: cron does not honour backslash line continuations
0 3 * * * docker run --rm -v /home/ubuntu/docker/swarm/infra/certbot/conf:/etc/letsencrypt -v /home/ubuntu/docker/swarm/infra/certbot/www:/var/www/certbot certbot/certbot renew --quiet && docker service update --force infra_nginx

Explanation:

  • Runs daily at 03:00
  • Renews only if needed (certbot skips certificates that are not yet due)
  • Forces a rolling restart of the Nginx service so it loads the new files; this runs on every execution, because certbot renew exits 0 whether or not anything was renewed
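A renewal wrapper for the cron job above, added here as an example (not part of the original page or of certbot): it fingerprints every fullchain.pem under live/ before and after `certbot renew` and only rolls infra_nginx when something actually changed, so Nginx is not restarted every night for nothing. It assumes the certbot paths and the infra_nginx service name from this page and that sha256sum is available on the host.

```shell
#!/bin/sh
# Renewal wrapper for the cron job in this section (added example, not from the wiki page).
# Assumes the certbot paths and the infra_nginx service name from this page, plus sha256sum.
# Restarts Nginx only when a certificate file actually changed, rather than on every run.
set -eu

CERT_DIR="${CERT_DIR:-/home/ubuntu/docker/swarm/infra/certbot/conf}"
WEBROOT="${WEBROOT:-/home/ubuntu/docker/swarm/infra/certbot/www}"
NGINX_SERVICE="${NGINX_SERVICE:-infra_nginx}"

# One line per lineage: "<name> <sha256 of fullchain.pem>". live/ holds symlinks into
# archive/, and sha256sum follows them, so a renewed lineage yields a different hash.
live_fingerprints() {
    for f in "$1"/live/*/fullchain.pem; do
        [ -f "$f" ] || continue
        printf '%s %s\n' "$(basename "$(dirname "$f")")" "$(sha256sum "$f" | cut -d' ' -f1)"
    done
}

# Exit 0 when two fingerprint listings differ, i.e. at least one certificate was replaced.
certs_changed() {
    [ "$1" != "$2" ]
}

run_renewal() {
    before=$(live_fingerprints "$CERT_DIR")
    docker run --rm \
      -v "$CERT_DIR":/etc/letsencrypt \
      -v "$WEBROOT":/var/www/certbot \
      certbot/certbot renew --quiet
    after=$(live_fingerprints "$CERT_DIR")
    if certs_changed "$before" "$after"; then
        echo "certificate renewed, rolling $NGINX_SERVICE to load it"
        docker service update --force "$NGINX_SERVICE"
    else
        echo "nothing renewed, $NGINX_SERVICE left untouched"
    fi
}

if [ "${1:-}" = "--run" ]; then
    run_renewal
fi
```

Install it as, for example, /usr/local/bin/certbot-renew.sh and point the crontab at it (`0 3 * * * /usr/local/bin/certbot-renew.sh --run`); because `set -e` is on, a failing `certbot renew` aborts the script before the service update, which the one-line `&&` form also guarantees.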

6. Manual Renewal Test

Dry-run test (runs against the Let's Encrypt staging environment, so no real certificate is issued or renewed):

sudo docker run --rm \
  -v /home/ubuntu/docker/swarm/infra/certbot/conf:/etc/letsencrypt \
  -v /home/ubuntu/docker/swarm/infra/certbot/www:/var/www/certbot \
  certbot/certbot renew --dry-run

7. Verify Certificate Expiry

Check expiry (lists each lineage with its domains, expiry date and days remaining):

sudo docker run --rm \
  -v /home/ubuntu/docker/swarm/infra/certbot/conf:/etc/letsencrypt \
  certbot/certbot certificates

8. Security Notes

  • Let's Encrypt certificates are valid for 90 days
  • Renewal should occur automatically before expiration (certbot renews once fewer than 30 days remain)
  • Always keep port 80 accessible for the HTTP-01 challenge
  • Never store private keys in Git
  • Back up the certbot volume regularly
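An expiry and key-permission check that runs on the host without the certbot container, added here as an example for sections 7 and 8 (not part of the original page or of certbot). It uses openssl's own `-checkend` to decide whether a lineage is inside the 30-day renewal window, computes days left for the report, and flags any privkey.pem readable by group or others. It assumes the conf path from this page and that openssl, GNU date and GNU stat are installed (standard on Ubuntu).

```shell
#!/bin/sh
# Expiry and key-permission check over the certbot volume (added example, not from the wiki page).
# Assumes the conf path from this page plus openssl, GNU date and GNU stat on the host.
set -eu

CERT_DIR="${CERT_DIR:-/home/ubuntu/docker/swarm/infra/certbot/conf}"
WARN_DAYS="${WARN_DAYS:-30}"   # certbot itself renews when fewer than 30 days remain

# Whole days from epoch $1 to epoch $2 (negative when $2 is already in the past).
days_between() {
    echo $(( ($2 - $1) / 86400 ))
}

# notAfter of a PEM certificate, e.g. "Mar 28 00:00:00 2026 GMT".
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Days until the certificate in $1 expires, relative to now (GNU date parses openssl's format).
cert_days_left() {
    end=$(date -u -d "$(cert_not_after "$1")" +%s)
    days_between "$(date +%s)" "$end"
}

# Exit 0 when the certificate in $2 expires within $1 days. openssl -checkend does the
# comparison on the certificate itself and exits 1 when it would expire in that window.
expires_within() {
    if openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Exit 0 when the key file (symlinks followed) has no group/other permission bits at all.
privkey_perms_ok() {
    mode=$(stat -L -c %a "$1")
    [ $(( mode % 100 )) -eq 0 ]
}

# Walk every lineage under live/, report, and exit 1 if anything needs attention.
check_all() {
    rc=0
    for cert in "$CERT_DIR"/live/*/fullchain.pem; do
        [ -f "$cert" ] || continue
        lineage=$(basename "$(dirname "$cert")")
        key=$(dirname "$cert")/privkey.pem
        left=$(cert_days_left "$cert")
        if expires_within "$WARN_DAYS" "$cert"; then
            echo "WARN $lineage: expires in $left days (< $WARN_DAYS); has the cron renewal run?"
            rc=1
        else
            echo "OK   $lineage: $left days left (notAfter $(cert_not_after "$cert"))"
        fi
        if [ -e "$key" ] && ! privkey_perms_ok "$key"; then
            echo "WARN $lineage: privkey.pem is readable by group or others"
            rc=1
        fi
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

Run it as root (the live/ directory is not world-readable) with `sh cert-check.sh --run`; a non-zero exit from a monitoring cron job is the signal that the nightly renewal has silently stopped working, which is the failure mode the 90-day lifetime makes expensive.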